
Storm-2561 fake enterprise VPN Hyrax infostealer activity

Malware Activity
Happening score: 21
1 unique source, 1 article

Summary

A fake enterprise VPN installer delivers Hyrax infostealer components that steal VPN credentials and persist on Windows hosts. The operation matters because the lure impersonates legitimate VPN software, the payload captures VPN login data, and the persistence lets the operators keep reusing infected hosts for follow-on access.

Related Happenings

Fake Claude PlugX phishing campaign

Campaign
First: 13.04.2026 12:52 Last: 13.04.2026 12:52 Sources 1

About this happening: A **February** phishing campaign used a **fake Claude website** and **fake meeting invitations** to deliver **PlugX** malware to recipients, turning a popular AI brand into a malw...

Latest development: 07.05.2026 13:02

A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.

Warlock ransomware post-exploitation tooling upgrades

Malware Activity
First: 17.03.2026 17:36 Last: 17.03.2026 17:36 Sources 1

About this happening: The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...

Storm-2561 SEO-poisoning VPN credential-theft campaign

Campaign
First: 13.03.2026 15:38 Last: 13.03.2026 15:38 Sources 1

About this happening: The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...

SocksEscort criminal proxy-service ecosystem monetizing residential routers

Threat Actor Meta
First: 13.03.2026 07:26 Last: 13.03.2026 07:26 Sources 1

About this happening: The **SocksEscort** proxy-service ecosystem turned compromised residential routers into a rentable abuse platform, letting criminal customers hide behind **369,000 IP addresses**...

AVRecon malware for Linux powering SocksEscort proxy network

Malware Activity
First: 12.03.2026 18:19 Last: 12.03.2026 18:19 Sources 1

About this happening: The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...

Timeline

  1. 13.03.2026 15:23 2 articles

    Microsoft details Storm-2561 fake VPN credential-theft campaign

    Technical Analysis Update

    Microsoft detailed a Storm-2561 campaign that used SEO poisoning and spoofed enterprise VPN download pages for Ivanti, Cisco, Fortinet, and other vendors to lure users to a malicious MSI installer hosted on GitHub. When executed, the installer dropped `Pulse.exe`, `dwmapi.dll`, and `inspector.dll`, stole VPN credentials and `connectionsstore.dat`, persisted through the Windows `RunOnce` registry key, displayed a fake installation error to reduce suspicion, and redirected the victim to the legitimate vendor site; Microsoft also published IoCs and hunting guidance.

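The staging chain in this timeline entry (an MSI drops `Pulse.exe` with `dwmapi.dll` and `inspector.dll` beside it, then sets a `RunOnce` value) and the fake Claude installer in the related happening above (`NOVupdate.exe` beside `avk.dll`) share one detectable pattern: a DLL is written into a user-writable directory next to the executable that will load it. The hunt script below is an added example, not Microsoft's published hunting guidance or any vendor's detection rule. It assumes Sysmon-style events (IDs 1, 11 and 13) exported as dicts, that the OS lives on `C:`, and that `dwmapi.dll` beside the dropped EXE is a search-order sideload (`dwmapi.dll` is a legitimate system DLL that belongs in `System32`; the entry does not say so explicitly). All telemetry in the block is constructed.

```python
"""Hunt for the EXE-plus-sideload-DLL staging pattern and RunOnce persistence
over exported endpoint telemetry. Added example; not Microsoft's hunting
guidance. Event shape loosely mimics Sysmon IDs 1 (process create),
11 (file create) and 13 (registry value set). All sample events are constructed."""
import ntpath
from collections import defaultdict

# DLL names the page reports being dropped beside the dropped executable.
# dwmapi.dll is a legitimate Windows DLL that belongs in System32; a copy written
# next to an EXE in a user-writable directory is the classic search-order sideload
# (inference from the entry, which lists the files but not the technique).
SIDELOAD_DLLS = {"dwmapi.dll", "inspector.dll", "avk.dll"}
# Simplification (assumption): OS on C:. A production rule would resolve
# %SystemRoot% and also exclude WinSxS servicing paths.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
RUNONCE = "\\currentversion\\runonce\\"


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def _user_writable(command):
    return any(marker in command.lower() for marker in USER_WRITABLE)


def hunt(events):
    """Return (indicator, evidence) tuples; order follows the two passes below."""
    findings = []
    staged = defaultdict(set)  # lower-cased directory -> sideload DLLs written there

    # Pass 1: sideload-candidate DLLs created outside the Windows system directories.
    for ev in events:
        if ev["id"] != 11:
            continue
        target = ev["target"].lower()
        if ntpath.basename(target) in SIDELOAD_DLLS and not _in_system_dir(target):
            staged[ntpath.dirname(target)].add(ntpath.basename(target))
            findings.append(("dll_outside_system_dir", ev["target"]))

    # Pass 2: an executable launched from a directory that received such a DLL
    # (the sideload host, e.g. Pulse.exe), and RunOnce values pointing into
    # user-writable locations (the persistence the entry describes).
    for ev in events:
        if ev["id"] == 1 and ntpath.dirname(ev["image"].lower()) in staged:
            findings.append(("exe_with_sideload_dll", ev["image"]))
        elif ev["id"] == 13 and RUNONCE in ev["target"].lower() and _user_writable(ev["details"]):
            findings.append(("runonce_user_writable", ev["target"]))
    return findings


# Constructed telemetry, not from any real incident. Paths and SID are invented.
STAGE = r"C:\Users\alice\AppData\Local\Temp\VPNClient"
CLAUDE_DIR = r"C:\Users\alice\Downloads\Claude-Pro-windows-x64"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 11, "image": r"C:\Windows\System32\msiexec.exe", "target": STAGE + r"\Pulse.exe"},
    {"id": 11, "image": r"C:\Windows\System32\msiexec.exe", "target": STAGE + r"\dwmapi.dll"},
    {"id": 11, "image": r"C:\Windows\System32\msiexec.exe", "target": STAGE + r"\inspector.dll"},
    {"id": 1, "image": STAGE + r"\Pulse.exe", "parent": r"C:\Windows\System32\msiexec.exe"},
    {"id": 13, "image": STAGE + r"\Pulse.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Pulse",
     "details": '"' + STAGE + r"\Pulse.exe" + '"'},
    # Fake Claude chain from the related happening: archive unpacked, EXE launched.
    {"id": 11, "image": r"C:\Windows\explorer.exe", "target": CLAUDE_DIR + r"\avk.dll"},
    {"id": 1, "image": CLAUDE_DIR + r"\NOVupdate.exe", "parent": r"C:\Windows\explorer.exe"},
    # Benign noise: Windows servicing rewriting the real dwmapi.dll, and a vendor app starting.
    {"id": 11, "image": r"C:\Windows\System32\TiWorker.exe", "target": r"C:\Windows\System32\dwmapi.dll"},
    {"id": 1, "image": r"C:\Program Files\Vendor\app.exe", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for indicator, evidence in hunt(SAMPLE_EVENTS):
        print(f"{indicator:24} {evidence}")
```

The two-pass design correlates on directory rather than on process lineage, so it still fires when the file-create and process-create events arrive out of order or from different sensors. The name list is deliberately narrow; widening it to "any DLL written beside an EXE in a user-writable path" catches more campaigns but also self-updating desktop applications, so pair that version with a signer or prevalence check.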